Let’s face it, privacy is a busy space right now. Regulations, guidelines, best practice and privacy news are constantly developing. And sometimes, quite frankly, it’s hard to keep up with it all. Sure, we try to distill it down for you with our Daily Dashboard and weekly regional newsletters, but we thought it may help to distill things further for you by presenting the top-five most-read stories of the week. So here’s our inaugural list for this week, going back to last Friday (to be fair to that glorious end-of-the-week day). 

Perhaps it’s a reflection of the flurry of privacy developments in the U.S. right now, but all five top news stories this week are U.S.-centric. No doubt, the California Consumer Privacy Act has rippled through the privacy community in the U.S. If this were April 2018, all five stories may well have been EU-centric because of the then-looming EU General Data Protection Regulation implementation. 

1. Sen. Markey introduces ‘Privacy Bill of Rights Act’
Read More

2. Are GDPR-compliant companies prepared for the CCPA: An IAPP FAQ, by Caitlin Fennessy, CIPP/US
Read More

3. US state comprehensive privacy law comparison, by Mitchell Noordyke, CIPP/E, CIPP/US
Read More

4. The Privacy Advisor Podcast Special Edition: Edelson on his firm’s $925M privacy class-action win, by Angelique Carson, CIPP/US
Read More

5. Perspective: A milestone for privacy self-regulation, by Lou Mastria
Read More

Photo by Franck V. on Unsplash

The winds of regulatory oversight for artificial intelligence are blowing in the U.S. and Europe. The European Commission signed off on its Ethical Guidelines for Trustworthy AI earlier this month, the culmination of several months of deliberations by a select group of “high-level experts� plucked from industry, academia,  research and government circles. In the advisory realm, the EU guidance joins forthcoming draft guidance on AI from a global body, the Organization for Economic Cooperation and Development.

Meanwhile, U.S. federal lawmakers want something on the books. A new bill proposed by Sen. Ron Wyden, D-Ore., Sen. Cory Booker, D-N.J., and Rep. Yvette D. Clarke, D-N.Y., would require large corporations to subject their algorithmic systems to automated decision system and data protection impact assessments. And, in February, U.S. representatives proposed their own guidelines for ethical AI in a House Resolution.

The EU’s guidance hinges on the notion of trustworthy AI or AI that is lawful, ethical and robust. The fact that the detailed Brussels guidance went through a collaborative and likely combative multi-stakeholder tuning process is evident in its length and complex Russian doll-esque structure of components, principles and requirements. Still, coming from the same body that gave us the tectonic privacy plate-shifting GDPR, it could influence AI ethical standards across the globe.

Four principles or “ethical imperatives� call for AI systems to respect human autonomy, prevent harm, incorporate fairness and enable explicability. Another layer of guidance advises that AI respect human dignity, individual freedom, democracy, justice, the rule of law, equality, non-discrimination, solidarity and citizens’ rights. The document then translates those goals into concepts that apply directly to more technical considerations for AI, such as resilience to attack, data quality and privacy, avoidance of unfair bias, auditability, transparency and explainability for AI-based decisions. Finally, a list of more practical methods for implementation follows.

The meaning of lawful AI

The official guidelines make clear that “A number of legally binding rules at European, national and international level already apply or are relevant to the development, deployment and use of AI systems today.�  This emphasis on “lawful� AI seems to be an important distinction between this final version of the document and an earlier draft.

“The emphasis on Lawful AI in the official guidelines indicates that the implementation of existing law is part of the practice of AI Ethics,� said High-Level Expert Group Member Gry Hasselbalch, a co-founder of Denmark-based data policy think-tank DataEthics, in an email sent to Privacy Tech.

We can expect lawyers and decision-makers to read the tea leaves sprinkled throughout this document to get a sense for whether the prominence of the lawfulness concept indicates that current European law, such as the General Data Protection Regulation, the EU Charter of Fundamental Rights and anti-discrimination directives suffice in delivering protections against potential AI-enabled harms or not.

There still is debate as to whether the GDPR’s right to an explanation applies to AI and decisions made by autonomous technologies. However, Chris Hankin, co-director of the Institute for Security Science and Technology and a professor of Computing Science at Imperial College London, said he thinks that aspects of that privacy regulation already address ethical AI considerations, particularly the right to an explanation.

Bottom line, the question people in the AI industry or entities employing AI want answered is: “Will Europe regulate or establish new laws for AI?�

Hasselbalch said there’s no telling yet. “We are an independent expert group, so what the official EU system will do, we don’t know. But I assume that they will listen to the experts they appointed themselves.�

The EU will soon be joined by the OECD’s Committee on Digital Economy Policy, which is set to publish its own draft recommendations for intergovernmental AI policy guidelines in May, based on final guidance approved by its global expert group representing policy, privacy and corporate tech earlier this year. Those recommendations are expected to mirror some of those seen in the EU guidance including human-centered values and fairness, transparency and explainability, robustness, safety and accountability.

Many of these same principles are present in other guidance for ethical AI from national governments and trade groups, including the Association of Computing Machinery and the Institute for Electrical and Electronics Engineers.

Next step: EU policy

For the EU, establishing advisory guidance is just the first half of the process. As noted in the guidelines, “To the extent we consider that regulation may need to be revised, adapted or introduced, both as a safeguard and as an enabler, this will be raised in our second deliverable, consisting of AI Policy and Investment Recommendations.� That policy crafting is underway currently.

Hankin suggested the European Commission could use the upcoming policy component of the guidelines to influence discussion around a directive or potential regulation. “I wouldn’t be surprised to see the Commission pick up the policy document when it’s produced and use it to start a debate … but we’re at the start of a very long process,� he said.

Photo by Wesley Tingey on Unsplash

Greetings from Portsmouth, New Hampshire!

It was another busy week here at IAPP headquarters as we gear up for our Global Privacy Summit in Washington. This one’s shaping up to be … yes, you guessed it … our biggest one ever. Hopefully, you’ve purchased your ticket already, because space is limited, and seats are going quickly. For those who are attending, don’t hesitate to say “hi” if you see me. I’d love to connect and hear about what you’re up to. 

Clearly, we’re not the only ones who are busy. I think it’s safe to say that the privacy profession as a whole, and especially here in the U.S. right now, is frantically working with all the operational, compliance, technological and legal challenges that are required day-in and day-out. 

Knowing that everyone is so busy, we’re always tinkering with ways to present you with content that is easy to consume (or in-depth, if you need it that way). That’s why for years we’ve published short news summaries in our Daily Dashboard and weekly, regional newsletters. But we also realize that sometimes even those are too much. Maybe you just need a quick-hit, what’s-big-in-privacy-news-this-week content. 

To help, we’re offering up the week’s top-five most-read stories each Friday. I include mention of that here, not only to introduce you to our weekly recap, but also because this week’s top-five most-read stories all involve U.S. privacy developments. 

There was clearly lots of interest in Sen. Ed Markey’s proposed “Privacy Bill of Rights Act.” But not far behind were two resources on frequently asked questions about the CCPA and a comparison table of U.S. state comprehensive privacy laws. For the former, IAPP Senior Privacy Fellow Caitlin Fennessy focused on FAQs related to CCPA compliance for companies that are already GDPR compliant. For those interested, there are some super-practical answers in her post. Westin Privacy Fellow Mitchell Noordyke has been diligently tracking all things U.S. privacy law and, this week, offered a comparison table focusing only on comprehensive state privacy laws. We’ll continue to update this chart as more comprehensive bills come forth. 

It was also yet another busy week for Privacy Advisor Editor Angelique Carson as she posted not one, but two, podcasts, the first of which was a special edition podcast with Jay Edelson on his firm’s big $925 million privacy class-action win last Friday. For those going to Summit in a couple of weeks, she’ll continue the conversation with Jay, along with Doug Meal, in a follow-up live podcast. A not-to-be-missed conversation for sure. 

Last Friday, we also featured a write-up from the DAA’s Lou Mastria, who highlighted the self-regulatory work of the Advertising Self-Regulatory Council of the Council of Better Business Bureaus. Coming off their 100th public compliance action, Lou described what goes into these self-regulatory activities, arguing that it’s a “tested and proven approach to managing safeguards in dynamic marketplaces.” 

OK, that’s enough from me for now, but in the meantime, hopefully you get a bit of time to relax before next week’s onslaught.

Greetings from Brussels!

CNIL President Marie-Laure Denis gave her first official interviews this week coinciding with the release of the French authority’s 2018 activity report. If you want an overview of the report’s main points, you can find an English summary here. As you will know, there was a change of guard at the CNIL in early February with the appointment of Denis. It was certainly welcome to see her inaugural interviews in “Le Monde” and “La Tribune.”

She stated that the GDPR has facilitated increased French awareness around data protection. The CNIL website registered a staggering 8 million unique visitors last year, according to one of her recent interviews, which is almost an 80% increase on the year before. This enhanced awareness was also reflected in a record number of complaints to the CNIL, up by 33%, with a third of the complaints centered around the dissemination of personal data on the internet, as well as 20% concerning marketing and commercial practices.

Denis also said there are approximately 17,000 DPOs acting on behalf of more than 51,000 organizations; notably, this number reflects internal, outsourced and “shared” DPO functions. With more than 4 million companies in France, Denis acknowledged that while not all organizations will require a DPO by default, she reconfirmed the CNIL estimate for the need of 80,000 DPOs under the provisions of the GDPR. 

There is still much uncertainty around the handling of complaints as the CNIL interacts with other EU member state DPAs. The CNIL continues to receive many questions involving corporate obligations around data protection and breach notifications. It is also interesting to note that since GDPR came into effect, breach notifications increased in 2018. However, and conversely in 2019 to date, leading French privacy pros informed me that breach notifications to the CNIL have dropped off significantly.

Denis stated that the authority will continue to support French organizations, acknowledging that not all entities have the same capacity to meet their obligations. However, taken that the GDPR was adopted in 2016, Denis felt that sufficient time and support has been afforded organizations to comply with the regulation, and now it is time to show more determination and firmness on controls and enforcement.

For 2019, priorities are clear: Ensuring that data subject rights, such as access, rectification and deletion are respected. More focus will be directed at processors and subcontractors as keys to personal data flows. Finally, the CNIL will also step up its monitoring in the area of new rights of minors and parental consent for children under 15.

At the macro level, Denis sees an augmented role for the CNIL as an effective digital regulator ahead to anticipate and innovate for social and economic changes in the digital era. On the international scene, the CNIL intends to continue to maintain a leading role within the EDPB, and outside the EU, it will continue to prioritize cooperation that fosters the convergence of data protection principles worldwide.

This year heralds new energy and promise in Marie-Laure Denis, and I think it is fair to say we have another strong and confident leader taking the reins of the French authority.

Greetings, fellow privacy professionals.

Hong Kong was privileged to have an all-star-filled ISACA Asia Pacific conference in early April, where the IAPP was present and able to spread the word on the ongoing importance of privacy. The convergence of cybersecurity and privacy was discussed, and fellow panelists and I discussed the impact and the areas of growing concern.

One such area relates to the massive growth of internet-of-things devices, the cybersecurity, privacy issues and risks to all. With the significant drop in production costs of sensors and cameras, we have seen IoT devices with embedded sensors/cameras become ubiquitous with everyday life — from wearables, household gadgets to children’s toys. Just this week, an Australian company that sells smartwatches, which allows parents to remotely monitor their children, had to shut down its service after hackers were able to breach through vulnerabilities to track and change the child’s location while gaining full access to personal identifiable information of the parent. And just this week, one of Hong Kong’s top celebrity couples is now embroiled in a scandal in regards to a driver who made a racy recording of the pop icon with another woman (not his wife…) in the back passenger seat. The hot debate now includes the rights of the passengers (victims) and whether the driver who recorded the video was in breach of Hong Kong laws. 

In other news, the IAPP will hold our very own Data Ethics KnowledgeNet Meeting & Privacy After Hours, Thursday, 23 May, with a focus on ethical accountability and artificial intelligence. Data ethics has become a hot topic recently, and for a good introduction into data ethics, I encourage you to view an IAPP web conference recording here.  The Privacy Commissioner for Personal Data, Hong Kong office, will also be hosting one of its own events on “Data Ethics in Actionâ€� in May, with a brief synopsis here: “We revised the Best Practice Guide on Privacy Management Programme … last year to assist organisations in constructing a comprehensive PMP. We recently released a study report on the implementation of PMP by data users in Hong Kong. Against this background, we have assembled corporations and industry leaders from different professions and industries to speak at the Symposium on their insights and experience on how their organisations develop their PMP and adopt data ethics to enhance accountability and trust with their customers.â€� If you are in Hong Kong and interested in attending, then please click here to register.

Finally, great to see the IAPP Asia Pacific Forum website live now with all the details and schedule for the event in July in Singapore. Looks like there will be some really great sessions and speakers from all over the globe, and I look forward to seeing you there. I will be moderating a panel called, “GDPR (1 Year Later): Lessons From Data Breach Victims and Security Professionals,� so please come by!

Keep safe, keep secure.
Jason

The California Consumer Privacy Act is top of mind for many privacy professionals across the U.S., who are working to leverage their GDPR preparation to build CCPA-compliance programs. They are learning that while their recent GDPR preparation is helpful, the CCPA has nuanced requirements that go beyond the GDPR. After listening to two useful web conferences comparing the CCPA and GDPR, IAPP Senior Privacy Fellow Caitlin Fennessy, CIPP/US, wondered if companies outside of the U.S. have realized that California-specific adjustments will be needed. To help address some of these significant issues, Fennessy has compiled and answered 10 frequently asked questions that might be helpful to privacy professionals around the globe. A general caveat, though: The following should not be construed as legal advice. 
Full Story

The California Consumer Privacy Act is top of mind for many privacy professionals across the U.S., who are working to leverage their GDPR preparation to build CCPA-compliance programs. They are learning that while their recent GDPR preparation is helpful, the CCPA has nuanced requirements that go beyond the GDPR. Emphasis is often placed on the novel “Do Not Sell My Personal Information� link.

After listening to two useful web conferences comparing the CCPA and GDPR (available here and here, in case you missed them), I wondered if companies outside of the U.S. have realized that California-specific adjustments will be needed. If not, the CCPA’s private right of action and what many consider the litigious nature of the U.S. might soon draw the attention of foreign C-suites.

Participants in the two recent web conferences posed a number of questions, highlighting the challenges privacy pros face in understanding the developing legal landscape. We thought addressing the following 10 frequently asked questions might be helpful to privacy professionals around the globe. A general caveat, though: The following should not be construed as legal advice.

Question: Does the CCPA apply to companies based outside of California?

Answer: Yes, the CCPA will generally apply if doing business in California and collecting the personal information of a California resident. The CCPA grants a “consumer� various rights with regard to personal information held by a “business,� including the rights of notice, access, deletion, portability and reasonable security. It also requires a business that “sells� “personal information� to “third parties� to provide a clear and conspicuous link on the business’s internet homepage, titled “Do Not Sell My Personal Information,� to an internet webpage that enables a consumer or a person authorized by the consumer to opt out of the sale of the consumer’s personal information, among other requirements. The definitions cited above are critical to understanding the law’s jurisdictional and material scope and are explained in response to the following FAQs.

Q: Does the CCPA apply only to consumers or also to employees and other individuals?

A: While the CCPA refers throughout to a “consumer,� currently, the law’s definition of “consumer� is not limited to those engaged in commercial activity, but rather to the residency status of a natural person. The bill’s definition of consumer is “a natural person who is a California resident, as defined in Section 17014 of Title 18 of the California Code of Regulations, as that section read on September 1, 2017, however identified, including by any unique identifier.� Further, the bill’s definition of personal information includes “professional or employment-related information.�

Q: Does a California resident have rights under the CCPA if outside of California? Does the CCPA apply to nonresidents visiting California?

A: The bill’s definition of a California resident is provided in Section 17014 of Title 18 of the California Code of Regulations, as that section read Sept. 1, 2017. This provides, in part:

[quote]“The term “resident,� as defined in the law, includes (1) every individual who is in the State for other than a temporary or transitory purpose, and (2) every individual who is domiciled in the State who is outside the State for a temporary or transitory purpose. All other individuals are nonresidents.�[/quote]

The CCPA also states that:

[quote]“The obligations imposed on businesses … shall not restrict a business’s ability to…[c]ollect or sell a consumer’s personal information if every aspect of that commercial conduct takes place wholly outside of California. For purposes of this title, commercial conduct takes place wholly outside of California if the business collected that information while the consumer was outside of California, no part of the sale of the consumer’s personal information occurred in California, and no personal information collected while the consumer was in California is sold. This paragraph shall not permit a business from storing, including on a device, personal information about a consumer when the consumer is in California and then collecting that personal information when the consumer and stored personal information is outside of California.�[/quote]

The CCPA further provides that a covered business will not be “required [to place] links and text on the homepage that the business makes available to the public generally, if the business maintains a separate and additional homepage that is dedicated to California consumers and that includes the required links and text, and the business takes reasonable steps to ensure that California consumers are directed to the homepage for California consumers and not the homepage made available to the public generally.�

Taken together, these provisions highlight the decisions both U.S. and foreign businesses will face when collecting and sharing personal information that might include the data of Californians. Should businesses provide the required “Do Not Sell My Personal Information� link and protections globally only in the U.S. or just to Californians?

Q: Does the CCPA govern nonprofit organizations?

A: The CCPA defines “business� as a sole proprietorship, partnership, limited liability company, corporation, association or other legal entity that is organized or operated “for the profit or financial benefit of its shareholders or other owners,� that collects consumers’ personal information, or on the behalf of which such information is collected and that alone or jointly with others determines the purposes and means of the processing of consumers’ personal information, does business in the state of California, and satisfies certain revenue or data-processing thresholds.

Q: Does the CCPA apply to small businesses?

 A: The CCPA applies to “businesses� that meet one or more of the following thresholds:

• Has annual gross revenues in excess of $25,000,000, as adjusted pursuant to Paragraph 5 of Subdivision A of Section 1798.185.
• Alone or in combination, annually buys, receives for the business’s commercial purposes, sells or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households or devices.
• Derives 50% or more of its annual revenues from selling consumers’ personal information.

Q: Does “selling� include sharing personal data with affiliated organizations?

A: Answering this question requires understanding several definitions under the CCPA, including not only “selling,� but also “business,� “business purposes,� “service provider,� “personal information� and “third party.�

“Sell� is defined as “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.�

There are exceptions to this general definition, including when the individual directs the transfer of information or the business shares information pursuant to a contract with a service provider for a business purpose of which the consumer has been informed.

Under the CCPA, sharing personal information with an affiliate for valuable consideration would generally be considered a sale if the affiliate is considered a third party. This would be the case unless the affiliate controls or is controlled by the “business� and shares common branding with the business or is a service provider with whom the information is shared pursuant to a contract for a business purpose of which the consumer has been informed.

Q: If a business has entered into a controller-processor data protection agreement with a vendor, is it reasonable to assume the transfer of data to that vendor will not be considered a “sale” under the CCPA? How should businesses categorize and manage service providers differently from third parties in terms of contracts and CCPA obligations?

A: To avoid a data transfer to a vendor being considered a “sale� under the CCPA, the transfer must be to fulfill a business purpose of which the consumer has been informed, and it must be governed by a written contract. The contract with a “service provider� to process personal information on behalf of the “business� must prohibit the service provider “from retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract for the business, or as otherwise permitted by [the CCPA], including retaining, using, or disclosing the personal information for a commercial purpose other than providing the services specified in the contract with the business.�

Q: Does the required “Do Not Sell My Personal Information� link need to go on mobile sites/apps, as well?

A: A business that sells personal information about the consumer to third parties must provide a clear and conspicuous link on the business’s internet “homepage,� titled “Do Not Sell My Personal Information.� In the case of an online service, such as a mobile application, “homepage� means the application’s platform page or download page; a link within the application, such as from the application configuration, “About,� “Information,� or settings page; and any other location that allows consumers to review the notice required before downloading the application.

Q: What are key differences between the CCPA and GDPR on which businesses adapting a GDPR-compliance program to CCPA should focus?

A: While there are numerous differences, described in great detail here, areas to focus include:

• The definition of personal data under the CCPA, which is broad and explicitly includes household data. It states, in part: “’Personal information’ means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household …â€�
• New consumer rights and associated business requirements, particularly those associated with the “saleâ€� of personal data, including the requirement that a business that sells a consumer’s personal information to third parties provide a clear and conspicuous link on its internet homepage, titled “Do Not Sell My Personal Information,â€� to an internet webpage that enables the consumer to opt out of the sale of the personal information.
• The categorization of information shared for “business purposesâ€� versus “commercial purposesâ€� and required disclosures pursuant to a consumer access request.
• Required contractual terms when sharing personal data with “service providers.â€�

Q: Does the CCPA enter into force Jan. 1, 2020, or July 1, 2020?

A: The CCPA enters into force Jan. 1, 2020. On Aug. 31, 2018, the California State Legislature passed SB-1121, which:

• Extended the deadline for the attorney general to adopt the law’s implementing regulations from Jan. 1, 2020, until July 1, 2020.
• Delayed the attorney general’s ability to enforce the bill until six months after the publication of those regulations or July 1, 2020, whichever comes sooner.

Given those amendments, the attorney general could enforce the new law prior to July 1, 2020, only if the attorney general adopts implementing regulations prior to Jan. 1, 2020. The fact that the amendments provided the attorney general additional time beyond Jan. 1 to adopt the regulations makes it unlikely (though not impossible) that they will be adopted sooner.

Photo by Sasha • Stories on Unsplash

The European Data Protection Board has released a version of its Guidelines 2/2019 on processing personal data under Article 6(1)(b) of the EU General Data Protection Regulation for public consultation. The guidelines cover the applicability of data processing “in the context of contracts for online services, irrespective of how the services are financed.� The EDPB document offers an analysis of Article 6(1)(b), how the article interacts with “other lawful bases for processing,� and its applicability in certain situations. The EDPB announced it will accept comments on the guidelines until May 24.
Full Story

On Tuesday, April 2, 2019, the Texas House Committee on Business and Industry held a public hearing (testimony starts at the 4:13:55 mark) on House Bill 4390, also known as the Texas Privacy Protection Act, and House Bill 4518, also known as the Texas Consumer Privacy Act. An overview of both bills as filed is available here. Both bills received a mix of testimony in support and opposition. In addition to the verbal testimony heard in committee, several other stakeholders registered their testimony for or against each bill.

Testimony on HB 4390, aka the Texas Privacy Protection Act

Rep. Giovanni Capriglione, R-Texas, the bill’s author, began by presenting it to the committee — no notes, nothing rehearsed, just a candid conversation on why he authored this legislation. Capriglione started by pointing out that another representative was using hand sanitizer and that now we will surely all see advertisements for hand sanitizer in the next few days. He added, “What my bill aims to do is to provide a little bit more regulation, a little bit more oversight, into the information that is being collected on us, about us, every single day without our knowledge — a lot of times without our permission — and is being used in ways that can negatively affect our credit scores, our health insurance premiums, or car insurance premiums, and even what kind of cars and hotels you’ll be able to get into.â€�

Stephen Scurlock, testifying neutral on the bill on behalf of the Independent Bankers Association of Texas, stated that other entities should be subject to regulations similar to the Gramm-Leach-Bliley Act, just as banks are. He went on to testify that “any entity keeping personally identifiable information should be subject to the same rigorous standards we live under, and while breaches happen, both consumers and banks who do bear the brunt of losses from these breaches, would be much better off if that standard were adhered to.� John Heasley, testifying in favor of the bill on behalf of the Texas Bankers Association, also emphasized that other entities should be subject to regulations similar to the GLBA.

Sarah Matz, director of state government affairs for the Computing Technology Industry Association, expressed opposition to the bill, stating the legislation, as filed, is modeled after the California Consumer Privacy Act and “while these laws were developed with the best of intentions, they are more likely to result in significant compliance costs and stifle innovation, rather than improving consumer safety.�

She suggested that instead of moving forward with legislation at the state level, Texas should continue to study the evolution of the CCPA and continue a dialogue with impacted stakeholders.

Deborah Giles, testifying against the bill on behalf of the Texas Technology Consortium, conveyed that data privacy regulation should be handled at the federal level and not at the state level. She added, “We’ve already seen signs of every state doing everything differently, and we look at the internet and data privacy, and feel like if 50 states have 50 different laws, what it could do as far as the consequences of costing business would be exorbitant.�

In response, Rep. Michelle Beckley, D-Texas, raised concern that federal legislation could take too long, stating that “right now, [federal legislation] seems like it’s just an idea, whereas we have something we can vote on.� Ms. Giles jovially responded, “I completely agree with you – it’s the other states that scare the ‘begeebees’ out of us.�

James Hines, who also opposed the bill on behalf of the Texas Association of Business, stated that “we do urge that we work with our congressional members on a national framework, and the reason we are in favor of a single national framework is because of the nature of the internet – the internet has no borders.�

Rep. Jared Patterson, R-Texas, responded, “…we can see what works in the different states. Texas a lot of times leads the way on that, and then other states adopt what works best… I think we can probably do it better than DC.� Beckley also added that states adopting their own data privacy laws could be the very thing that leads to a single national framework.

The final witness, Chris Humphreys, testifying in favor of the bill on behalf of himself and the Anfield Group, stated, “It’s inevitable, [the EU General Data Protection Regulation] or GDPR-lite is going to be here at the federal level eventually. We are delaying the inevitable by not doing anything now.� Humpheys said bill presents an opportunity for Texas to handle data privacy their way, and ultimately federal legislation may be developed that lands somewhere between Texas and California.

Capriglione closed on the bill by respectfully disagreeing that Congress will reach consensus on federal legislation anytime soon and that Texas has an opportunity to implement these protections now. He also clarified that this legislation is not modeled after the CCPA.

Testimony on HB 4518, aka the Texas Consumer Privacy Act

The committee received far less testimony on HB 4518, but this was in large part due to the fact that most witnesses did not want to repeat similar testimony just laid out on HB 4390.

Rep. Martinez Fischer, D-Texas, said, “I fully appreciate and recognize that there might be ‘higher-ups’ in the federal government that could grade our papers on this, and come up with a solution that can be applied to the entire nation. But unless and until that happens, I think we can’t just sit on our hands and watch time go by.�

The only additional witness who testified on HB 4518 but did not testify previously on HB 4390 was David Foy, testifying against the bill on behalf of RELX/Lexis Nexis. Foy stated that this bill is very close, if not identical, to the CCPA and that California is now on the third iteration of that legislation. He stated that “there are currently 40 bills filed right now in California being discussed to go back and fix and try to address what happened in 2018.� He added that to this date, there have been about 30 bills filed nationwide and that California is the only state to have adopted it.

He reiterated that experts from the privacy and business industries need to collaborate to get this right before implementing legislation too quickly.

Next legislative steps

Now that both bills have received public testimony, they await a committee vote and then would head to the full Texas House of Representatives. From there, the bills still need to clear committee and floor votes in the Texas Senate before heading to the governor’s desk. As the 86th Texas Legislative Session ends May 27, both bills are racing against the clock.

Photo by Jeremy Banks on Unsplash

The European Commission released a 255-page study on EU General Data Protection Regulation data protection certification mechanisms, examining Articles 42 and 43 of the Regulation, according to Hunton Andrews Kurth’s Privacy & Information Security Law Blog. Meanwhile, the European Data Protection Board is now accepting comments on Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects. Comments will be accepted until May 24.
Full Story

Following the implementation of the EU General Data Protection Regulation nearly a year ago, European regulators are struggling to keep pace with data breach notifications, The Wall Street Journal reports. IAPP President and CEO J. Trevor Hughes, CIPP, said, “There’s been a real concern about the sheer volume of work that is arriving at the regulators’ doorsteps.� Zurich Insurance Group AG Global Head of Cyber Risk Lori Bailey expects that with time, there will be more predictability for how regulators will react and fine companies for incidents but noted, “we’re just not there yet.� Meanwhile, Insurance Europe released a position paper in response to the European Commission stocktaking exercise on the application of the GDPR. (Registration may be required to access this story.) 
Full Story

In this week’s Privacy Tracker global legislative roundup, learn about the European Commission’s study on data protection certification mechanisms under the EU General Data Protection Regulation. EU Commissioner for Justice, Consumers and Gender Equality VÄ›ra Jourová explains why the U.S. government needs to adopt stronger privacy laws, Hong Kong may be preparing to alert its position on the enforcement of data breaches, and the Office of the Privacy Commissioner of Canada announced it plans to revise its policy position on trans-border data flows under the Personal Information Protection and Electronics Documents Act.  

LATEST NEWS

California Senate Bill 561, the proposed bill created to expand the private right of action under the California Consumer Privacy Act, has been referred by the state’s Senate Judiciary Committee to the Senate Appropriations Committee by a 6-2 vote.
More

Czech Republic President Miloš Zeman signed the Data Protection Act and the Accompanying Act into law.
More

The European Commission released its study on data protection certification mechanisms under the EU General Data Protection Regulation.
More

The European Data Protection Board announced it will accept comments on Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) of the EU General Data Protection Regulation until May 24.
More

Ghana Minister of Communication Ursula Owusu-Ekuful announced the country’s government intends to launch a Cyber Security Authority to handle cyber incidents.
More

Amendments to Massachusetts’ Data Breach Notification Law went into effect April 11.
More

Sen. Ed Markey, D-Mass., introduced the “Privacy Bill of Rights Act.”
More

A Russian court fined Facebook approximately $47 for violations of the country’s data localization rules.
More

The U.K. Information Commissioner’s Office has proposed standards that would prohibit children from “liking” posts on social media platforms.
More

ICYMI

In this post for Privacy Tracker, Marval, O’Farrell & Mairal Partner Diego Fernández looks at the findings of Argentina’s Agency of Access to Public Information Annual Report 2018.
More

In this post for Privacy Tracker, GCA Advogados Partner Ana Carolina Cagnoni, CIPP/E, looks at the current state of Brazilian data protection rules and the upcoming future of the country’s General Data Protection Law.
More

Almost a year into the implementation of the EU General Data Protection Regulation, Falck A/S Legal Counsel Natalija Bitiukova, CIPP/E, CIPM, FIP, offers a look at Lithuania’s implementation efforts and discusses ongoing and upcoming investigations scheduled for the year ahead.
More

In this article for The Privacy Advisor, Santa Clara University’s Cyrus Borhani, CIPP/US, and Justin Banda report on Spain’s approval of a controversial data protection law to facilitate compliance with the country’s law to the EU General Data Protection Regulation and the concern that the rule application has deviated from the GDPR’s intended effect.
More

ASIA-PACIFIC

Australia’s Parliamentary Joint Committee on Law Enforcement has asked the government to be more transparent regarding plans to allow state and territory law enforcement access to the country’s face-matching service.
More

In a blog entry for Ince Gordon Dadds, Managing Associate Simon Cheng, CIPM, and Trainee Solicitor Suki Fung speculate that Hong Kong is preparing to alter its position on the enforcement of data breaches.
More

CANADA

The Office of the Privacy Commissioner of Canada announced it plans to revise its policy position on trans-border data flows under the Personal Information Protection and Electronic Documents Act.
More

The Canadian government is “actively considering� regulations against social media companies.
More

EUROPE

In an interview with Digiday, European Data Protection Supervisor Giovanni Buttarelli discussed the landscape of EU General Data Protection Regulation adoption among media and advertising businesses.
More

Ireland’s Data Protection Commission determined Irish citizens do not have the “absolute right” to have their names spelled correctly in public records.
More

At the 12th annual Data Protection Practitioners’ Conference, U.K. Information Commissioner Elizabeth Denham said implementation of the EU General Data Protection Regulation is at a “critical stage.�
More

US

In a post for Politico, EU Commissioner for Justice, Consumers and Gender Equality Věra Jourová explains why the U.S. government needs to adopt stronger privacy laws.
More

Sens. Cory Booker, D-N.J., and Ron Wyden, D-Ore., sponsored the Algorithmic Accountability Act, with Rep. Yvette Clarke, D-N.Y., sponsoring a House of Representatives equivalent.
More

A bill introduced by Sens. Mark Warner, D-Va., and Deb Fischer, R-Neb., would prohibit the use of alleged deceptive practices by social media companies.
More

The U.S. Department of Justice announced the release of a white paper on the Clarifying Lawful Overseas Use of Data Act.
More

The U.S. House of Representatives passed a restoration bill to reinstate net neutrality rules with a 232-190 vote.
More

U.S. lawmakers held hearings regarding content moderation as the conversation continues around how to regulate big tech while protecting free speech.
More

A coalition of advertising trade groups has joined forces to work with Congress on a federal U.S. privacy bill.
More

As the U.S. Federal Trade Commission holds a series of hearings to review privacy regulations, CreativeFuture has raised concern over adopting laws similar to the EU General Data Protection Regulation.
More

In an interview with Digiday, European Data Protection Supervisor Giovanni Buttarelli discussed the landscape of EU General Data Protection Regulation adoption among media and advertising businesses. On the topic of consent, Buttarelli said companies must take an active approach, rather than rely on checkboxes and opt-outs. “Even ticking a box does not necessarily mean consent is freely given,� Buttarelli said. “Unambiguous consent means it must not only be explicit but meaningful, not a case of pre-ticked boxes or a case where you have no alternative but to continue through to a website.� Buttarelli also discussed fines handed out by the U.K Information Commissioner’s Office and France’s data protection authority, the CNIL, against Facebook and Google respectively.
Full Story

Doctors in Ireland believe the Department of Health’s interpretation of the EU General Data Protection Regulation may halt their research, The Irish Examiner reports. The doctors’ concerns stem from the requirements to obtain explicit consent before processing patient data. In a review published in the Journal of Irish Medical Science, doctors reveal Ireland is the one country among the 28 EU member states that require health researchers to get an express statement of consent. The review also states the explicit consent requirement is “problematic for most (if not all) ongoing research when the re-consenting of patients is required,� particularly in regards to research involving biobanks and patients who are unable to consent.
Full Story